web-app-launcher/plans/mvp-web-app-launcher/phase-3-authentication.md

# Phase 3: Authentication System
**Status:** ⬜ Not Started
**Parent plan:** [PLAN.md](./PLAN.md)
**Domain:** fullstack
## Objective
Implement the full local authentication flow: login, registration, session management with JWT + refresh tokens in HTTP-only cookies, auth middleware in hooks.server.ts, and guest mode support.
## Tasks
- [ ] Task 1: Implement `src/lib/server/utils/jwt.ts` — sign and verify access tokens (pin the signing algorithm server-side; never accept `alg: none` or whatever the token header claims), generate refresh tokens
- [ ] Task 2: Implement `src/lib/server/utils/password.ts` — bcrypt hash/compare (bcrypt only uses the first 72 bytes of the password; pick a cost factor and keep it in one place)
- [ ] Task 3: Implement `src/hooks.server.ts` — auth middleware, session injection into `event.locals`
- [ ] Task 4: Create `src/routes/login/+page.server.ts` — login form action (Superforms + Zod)
- [ ] Task 5: Create `src/routes/login/+page.svelte` — login page UI
- [ ] Task 6: Create `src/routes/register/+page.server.ts` — registration form action (respects admin toggle)
- [ ] Task 7: Create `src/routes/register/+page.svelte` — registration page UI
- [ ] Task 8: Create `src/routes/auth/refresh/+server.ts` — token refresh endpoint (validates the refresh cookie, rotates the refresh token, issues a new access token)
- [ ] Task 9: Create `src/routes/+layout.server.ts` — root layout load: inject user session
- [ ] Task 10: Create `src/routes/+layout.svelte` — root layout shell (minimal, polished in Phase 7)
- [ ] Task 11: Implement `src/lib/server/middleware/authenticate.ts` — reusable auth check helper
- [ ] Task 12: Implement `src/lib/server/middleware/authorize.ts` — role-based access check
- [ ] Task 13: Implement `src/lib/server/middleware/guestAccess.ts` — guest mode board visibility
- [ ] Task 14: Create `src/routes/+page.svelte` — root page (redirect to default board or login)
- [ ] Task 15: Create logout endpoint/action — invalidate refresh token, clear cookies
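An added example of what the sign/verify half of Task 1 might look like; it is not the project's code. It implements HS256 with `node:crypto` alone (a JWT library would normally do this), and the secret, the claim shape (`sub`, `role`) and the injectable `nowSeconds` clock are assumptions made for the example. The two checks worth copying are that the verifier pins the algorithm instead of trusting the token's own header, and that the signature comparison is constant-time.

```typescript
// Added example, not the project's jwt.ts. Assumed: one server-side HMAC secret,
// access tokens carrying { sub, role }, 15-minute expiry as in the plan's Notes.
import { createHmac, timingSafeEqual } from "node:crypto";

const ACCESS_TTL_SECONDS = 15 * 60; // plan: access tokens live 15 minutes

export interface AccessClaims {
  sub: string;  // user id
  role: string; // consumed by the authorize.ts role check
  iat: number;  // issued at (epoch seconds)
  exp: number;  // expires at (epoch seconds)
}

function b64url(s: string): string {
  return Buffer.from(s).toString("base64url");
}

function sign(secret: string, signingInput: string): Buffer {
  return createHmac("sha256", secret).update(signingInput).digest();
}

export function signAccessToken(
  secret: string,
  claims: { sub: string; role: string },
  nowSeconds = Math.floor(Date.now() / 1000),
): string {
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const payload: AccessClaims = { ...claims, iat: nowSeconds, exp: nowSeconds + ACCESS_TTL_SECONDS };
  const signingInput = `${header}.${b64url(JSON.stringify(payload))}`;
  return `${signingInput}.${sign(secret, signingInput).toString("base64url")}`;
}

// Returns the claims on success, null on any failure (malformed, wrong alg,
// bad signature, expired). Callers treat null as "not logged in".
export function verifyAccessToken(
  secret: string,
  token: string,
  nowSeconds = Math.floor(Date.now() / 1000),
): AccessClaims | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [header, payload, sig] = parts;

  // The server decides the algorithm; a header saying "none" or "RS256" is rejected outright.
  let hdr: { alg?: unknown };
  try {
    hdr = JSON.parse(Buffer.from(header, "base64url").toString("utf8"));
  } catch {
    return null;
  }
  if (!hdr || typeof hdr !== "object" || hdr.alg !== "HS256") return null;

  // Constant-time comparison of the expected MAC against the presented one.
  const expected = sign(secret, `${header}.${payload}`);
  const actual = Buffer.from(sig, "base64url");
  if (expected.length !== actual.length || !timingSafeEqual(expected, actual)) return null;

  // Only now is the payload trusted enough to parse and check for expiry.
  let claims: Partial<AccessClaims> | null;
  try {
    claims = JSON.parse(Buffer.from(payload, "base64url").toString("utf8"));
  } catch {
    return null;
  }
  if (
    !claims || typeof claims !== "object" ||
    typeof claims.sub !== "string" || typeof claims.role !== "string" ||
    typeof claims.exp !== "number" || typeof claims.iat !== "number"
  ) return null;
  if (claims.exp <= nowSeconds) return null;
  return claims as AccessClaims;
}
```

Verification happens before the payload is parsed, so an attacker-controlled body never reaches `JSON.parse` with any trust attached; `hooks.server.ts` would call `verifyAccessToken` on the access cookie and put the returned claims into `event.locals`.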
## Files to Modify/Create
- `src/hooks.server.ts` — auth middleware
- `src/lib/server/utils/jwt.ts` — JWT utilities
- `src/lib/server/utils/password.ts` — password utilities
- `src/lib/server/middleware/authenticate.ts`
- `src/lib/server/middleware/authorize.ts`
- `src/lib/server/middleware/guestAccess.ts`
- `src/routes/login/+page.svelte`
- `src/routes/login/+page.server.ts`
- `src/routes/register/+page.svelte`
- `src/routes/register/+page.server.ts`
- `src/routes/auth/refresh/+server.ts`
- `src/routes/+layout.server.ts`
- `src/routes/+layout.svelte`
- `src/routes/+page.svelte`
- `src/app.d.ts` — augment `Locals` with user session type
## Acceptance Criteria
- Users can register (when enabled) and log in with email/password
- JWT access token + refresh token issued in cookies flagged `HttpOnly`, `Secure` and `SameSite`; the refresh cookie is `Path`-scoped to the refresh endpoint so it is not sent with every request
- `hooks.server.ts` validates tokens on every request and injects user into `event.locals`
- Refresh token rotation works: every use of the refresh endpoint issues a new refresh token and the presented one is invalidated server-side
- Logout clears cookies and invalidates refresh token
- Guest mode: unauthenticated users can access guest-accessible boards
- Protected routes redirect to login
- Form validation with Superforms + Zod shows errors inline
## Notes
- Access token expiry: 15 minutes; Refresh token expiry: 7 days
- Store refresh tokens in the DB (User model) so they can be invalidated server-side; store a hash of the token rather than the raw value, so a database leak does not hand out usable sessions
- OAuth is deferred to the project's post-MVP Phase 2 (a project phase, not a phase of this plan)
- Registration toggle is read from SystemSettings
- ⚠️ Big Bang: login page will be functional but unstyled/minimal until Phase 7
## Review Checklist
- [ ] All tasks completed
- [ ] Code follows project conventions
- [ ] No unintended side effects
- [ ] Build passes
- [ ] Tests pass (new + existing)
## Handoff to Next Phase
<!-- Filled in by the implementation agent after completing this phase. -->